views:

82

answers:

1

I've spent most of my career writing applications for consumption within small to medium sized organizations. In those roles, I'd relied on regular expressions to validate the user's input (e.g. email, zipcode, phone #, or to find and remove unwanted markup) and the AntiXSS library to protect against cross site scripting attacks.

After reading (ok, trolling) through the posts here, I'm wondering whether what I am currently doing is enough, especially as more of my projects are becoming outward facing.

My question is this: Is there a good tutorial with examples on best practices to sanitize user input? I found this article and this, which deals with the XSS library, and this thread on RefactorMyCode - I don't want to rely on just one facet to protect the site.

Any help/advice would be useful.

Thanks!

+1  A: 

When in doubt, MSDN generally has good info: http://msdn.microsoft.com/en-us/library/ff647397.aspx

Basically, AntiXSS is pretty solid (nothing is perfect) for XSS attack prevention.

For SQL query protection, look at using parameterized queries... and even then, run them through a regex or two if you have the cycles :-)

This wiki has a bit different info about regex than anything in your post or mine thus far:

http://www.guidanceshare.com/wiki/ASP.NET_1.1_Security_Guidelines_-_Input_Validation

This article has an interesting VB function you could convert for ASP for checking a string for SQL injection. No promises on if it's effective. http://aspalliance.com/1703_SQL_Injection_in_Classic_ASP_and_Possible_Solutions.3

Caladain
I posted some useful links in a blog post: http://www.codersbarn.com/post/2008/11/01/ASPNET-Data-Input-Validation.aspx
IrishChieftain
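An added example, not code from the question or the answer above, showing the two controls the answer discusses side by side: a parameterized query versus string concatenation for SQL, and HTML output encoding for XSS. It is written in Python with the standard sqlite3 and html modules so it runs offline; the same principle applies to SqlParameter in ADO.NET and to the AntiXSS encoder. The user rows and the blacklist regex are constructed for the demonstration; the regex is included only to show the limits of the keyword-matching approach the linked ASP article takes (it rejects a legitimate name such as O'Brien, which the parameterized query handles correctly).

```python
import html
import re
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("O'Brien", "obrien@example.com"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_unsafe(conn, name):
    """The anti-pattern: user input concatenated straight into the SQL text.
    A value such as ' OR '1'='1 turns the WHERE clause into a tautology."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterized query: the driver sends the value separately from the
    SQL text, so quotes in the input are data, never syntax."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# A keyword blacklist of the kind the classic-ASP article suggests (constructed
# here, not copied from it). Shown to illustrate its limits, not as a control.
_SQL_BLACKLIST = re.compile(r"(--|;|'|\bor\b|\bunion\b|\bselect\b)", re.IGNORECASE)


def looks_like_injection(value):
    """True if the blacklist fires. Note it also fires on legitimate input."""
    return _SQL_BLACKLIST.search(value) is not None


def render_greeting(name):
    """Output encoding for an HTML text context: the same job an encoder
    library does for untrusted values placed between tags."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print(find_user_unsafe(conn, payload))   # every row leaks
    print(find_user_safe(conn, payload))     # no match: the quote is data
    print(find_user_safe(conn, "O'Brien"))   # apostrophe in a real name works
    print(looks_like_injection("O'Brien"))   # True: the blacklist rejects it
    print(render_greeting("<script>alert(1)</script>"))
```

The parameterized version needs no input filtering to be safe against injection; the blacklist, by contrast, both rejects valid data and can only ever catch patterns its author thought of. Input validation is still worth doing for data quality (a zipcode should look like a zipcode), but it is not the control that stops injection or XSS: binding parameters and encoding output for the context are.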